
[strategy] Tunisia: Business Landscape and Technical Infrastructure

To import the technical culture that is necessary to provide excellent products, we extend here the market research for the Tunisian market.
Business solution

In order to provide a clear understanding of the IT and Business landscape in Tunisia, we will proceed to introduce our solutions, according to the specifics of the market, and the competition landscape.

This work has been laid down in an extensive business report, related to the btndlabs.io project.

This analysis will start from the more general points in the Business solution section, i.e. Vink-io's policy, presentation of the stakeholders, etc.

In the Technical Solution section we will cover more specific points, related to the technology, benchmark and our operational approach to the Tunisian market.

Policy and Community Building

We are an open-source company, and keep an open doors policy to our stakeholders in Europe, and in Tunisia.

We plan to share our know-how with our customers and partners, so they can consider how to build reliable systems, in a complicated market. We are confident in our competences, and we are certain that good technology is not built behind closed doors.

Information Technology is a continuously evolving field, in which we learn from the environment where we evolve, as is the case with our peers in Berlin. In parallel, peer companies in Tunisia would help us harden the Tunisian financial system overall.

Stakeholders

To define our business operations, we must first draw a picture of our direct stakeholders, by order of priority for us to monetize our services.

From our perspective as providers of the service "BTND Payments", we have 4 main stakeholders, for each of which we will adopt a relevant commercial approach and provide a Unique Selling Point:

  • Merchant websites

Our main target segment is the companies that compose the Tunisian private sector, i.e. online business founders, and established commercial entities who deployed a merchant website. We simplify payment integration on their websites, regardless of their technology.

  • Banks and payment providers

Our second most important target group is the Tunisian financial institutions, banks and payment providers (wallet developers, credit card providers, or others) who wish to enable their customers to pay online. We are also stack-agnostic for this target segment, and allow our partners to reduce their operational risk and become compliant with international standards by using our infrastructure.

  • Technical community

Our technical stakeholders are the European technical community, who can validate and discuss the most critical topics; the international technical community at large, with whom we can share techniques and benchmarks; and the nascent Tunisian technical community, with whom we can share our knowledge, rally, exchange and hire (for the best elements in the Tunisian community).

  • Regulators

Our last target group is the international regulators and players, and the Tunisian regulators for whom we are available to provide good counsel, if we can establish a trust-based relationship. We have also planned to set up audit and fraud control protocols, that are embedded in our systems, and available for auditors according to international standards and regulations.

Unique selling points

In this section we will define how our services will be perceived by the first two segments.

  • Payment processor for merchant websites

For our main target segment, we will operate as a payment processor who can provide a technical solution to the digital payment problem. For this stakeholder we must also provide a better service quality and availability.

In this sense, we are required to provide simple software, a fast and robust settlement process, and become a trusted financial counterpart, capable of minimizing counterpart exposure.

  • Technical provider and risk manager for banks

Our banking stakeholders will be able to consume our services either by developing their own end-point payment solution (their own app, website, trading engine...), or by connecting their core banking API to our systems.

We are required to provide a secure infrastructure to these stakeholders, so they can outsource the risk. We must also provide better service quality and availability.

Since our operations are compliant with international regulations and standards by default, we can enable those players to interact with the international markets.

Customer acquisition

The focus of our commercial plan is the first segment, i.e. the merchant websites.

Thanks to the efforts of our marketing team, we have kicked off the acquisition and establishment of a database of Tunisian companies, and started prospecting them.

As shown below, the market is still in its first stages, which opens for us a tremendous business opportunity to gain market share and a leading business position.

After preliminary research, we found that very few companies have a proper IT strategy. Young companies like artify.tn or Dabchy do not have the capability to process payments, nor to provide a reliable online experience, which is their main business.

Well-funded companies like fatales Tunisie do not have an online checkout process; and if they did, the transaction would be insecure, as their SSL certificate is expired, as shown below (upper left corner of the snapshot). This small detail would expose their customers to man-in-the-middle attacks, among other possibilities.

We must note that our efforts cannot go faster than the actual merchants themselves, as we have noticed a very rudimentary approach to digital stores across the companies we have found. This opens for us a business opportunity, as we will solve the issues related to payment security for these nascent companies.

Technical Solution

Competitive landscape

An overview of the available solutions in Tunisia does not really help in determining the potential of the market, nor in assessing the technical capabilities of the players active in this sector in Tunisia.

Solutions (like D17 or Tunisie Monetique) provide very mediocre services that are in some instances slower than physical money (48h settlement for gpg checkout). All of these payment "solutions" make their users more vulnerable to theft (of private data and funds). At best, we can determine that the Tunisian payment landscape is weak from a technical perspective, and is vulnerable to external attacks. By induction, these solutions weaken the technical integrity of the Tunisian economy.

Our goal is to provide a robust and secure solution, to help companies expand their online business, to help fintech companies step up their competences, and to normalize stringent security standards in our sector.

We do not expect the Tunisian banks, nor the Tunisian merchants, to have the required competences to store the secrets related to digital payment operations. We justify this proposition with an objective argument: Tunisian companies cannot afford the right competences; and when they can, competent international programmers will hardly agree to work under the specific Tunisian conditions.

Equally, we would not trust shady or suspicious individuals, or brick-and-mortar business owners, to safely store our physical money, especially if they do not have a physical vault. That would contradict basic preventive measures for a matter as critical as money.

Benchmarks & Requirements

In the light of this market situation, we can guarantee the provision of services under the following requirements to our stakeholders:

  • Quality Management:

Our back-end must be capable of providing a fast service (settlement in less than 1 second), a reliable service (SLA and 99.9999% uptime), and our teams must be able to support the merchants and banks in their integration (24h rotations, support contracts).

  • Operational Security:

We must comply with stringent security requirements, according to critical infrastructure management frameworks (we will disclose them in a later document).

This aspect is human-intensive and requires highly competent personnel. Additionally, this aspect requires the setup of protocols related to security issues (bug tracking, vulnerability disclosure protocols, code audits and penetration tests), that are necessary investments to be competitive internationally.

  • Interoperability:

We must adopt a flexible and simple architecture, that would enable us to be compatible with the majority of the merchant websites, and banking partners.

Technology and Staffing

Our technical operations rely heavily on skilled individuals, and cover a large spectrum of activities, from research to deployment.

To be able to operate as a trusted payment facilitator, we will process in-house the sensitive aspects of any digital payment operation, by storing sensitive data (PPI, credit card numbers, behavior) on hardened and anonymized relational databases, and by implementing robust cryptographic protocols for data on-premise or in transit. These measures are necessary to be compliant (GDPR), and interoperable with international players. To minimize technical debt, they must be implemented upstream, at the system design stage.

Additionally, we have in-house capabilities to build custom algorithms, and to test or compare different implementations. We also build our own custom containers, for enhanced performance and security.

For additional security, we rely exclusively on audited solutions and tools, and we ultimately adopt the highest standards for cryptographic key management (or PKI), Identity Access Management (IAM), and end-point security.

Our teams can perform internal technical audits, and we are experienced with threat modelling, intrusion monitoring and incident response. In general terms, we have the internal capability to break down a system to its algorithmic level, optimize its performance, and secure it from malicious actors, in a strictly defensive fashion.

To guarantee the best service to our customers and partners, we comply with several requirements and certifications for system design, development, deployment and maintenance. All of these processes comply with highly demanding quality management standards end-to-end.

In addition to these operational and industrial standards, we rely on highly specialized competences who take security issues seriously, and are bound to strict behavior even in their own personal lives. Internally, we are well trained on specific operational protocols (opsec), like vulnerability disclosure procedures and critical infrastructure management, as we strictly follow several of the security frameworks mentioned above.

To complement the technical arsenal and knowledge at our disposal, we also work with a highly selective network of international technologists, and rely solely on the professional opinion of trusted practitioners, i.e. professionals from the investment banking, risk management and legal sectors.

Conclusion

Complementing the post on the Tunisian political and legal landscape, this analysis aims to provide a clear understanding of the IT business opportunities in Tunisia.

The work in this regard is still ongoing, and we are looking for the next step.